arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Vendor Authorized Boot is a security feature for authenticating
the images such as U-Boot, ARM trusted Firmware, Linux kernel,
device tree blob and etc loaded from FIT. After those images are
loaded from FIT, the VAB certificate and signature block appended
at the end of each image are sent to Secure Device Manager (SDM)
for authentication. U-Boot will validate the SHA384 of the image
against the SHA384 hash stored in the VAB certificate before
sending the image to SDM for authentication.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig
index 9b1abda..0c35406 100644
--- a/arch/arm/mach-socfpga/Kconfig
+++ b/arch/arm/mach-socfpga/Kconfig
@@ -6,6 +6,21 @@
config NR_DRAM_BANKS
default 1
+config SOCFPGA_SECURE_VAB_AUTH
+ bool "Enable boot image authentication with Secure Device Manager"
+ depends on TARGET_SOCFPGA_AGILEX
+ select FIT_IMAGE_POST_PROCESS
+ select SHA384
+ select SHA512_ALGO
+ select SPL_FIT_IMAGE_POST_PROCESS
+ help
+ All images loaded from FIT will be authenticated by Secure Device
+ Manager.
+
+config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE
+ bool "Allow non-FIT VAB signed images"
+ depends on SOCFPGA_SECURE_VAB_AUTH
+
config SPL_SIZE_LIMIT
default 0x10000 if TARGET_SOCFPGA_GEN5